<!DOCTYPE html>
<html lang="zh_cn">
<head>
          <title>来玩魔王的咚</title>
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <meta charset="utf-8" />
        <!-- twitter card metadata -->
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="/images/mowang.png">
<meta name="twitter:site" content="">
<meta name="twitter:title" content="Ansible 加密模块">
<meta name="twitter:description" content="<p>加密文件：加密配置文件并使用，使用文件加密；加密变量：通过文件加密，通过密码加密，加上用户标识；使用debug模块进行调试</p>">
        <!-- OG Tags -->
<meta property="og:url" content="/ansible-vault.html"/>
<meta property="og:title" content="来玩魔王的咚 | Ansible 加密模块" />
<meta property="og:description" content="<p>加密文件：加密配置文件并使用，使用文件加密；加密变量：通过文件加密，通过密码加密，加上用户标识；使用debug模块进行调试</p>" />
        <!-- favicon -->
        <link rel="icon" type="image/png" href="/images/mowang.png">
        <!-- moment.js for date formatting -->
        <script src="/theme/js/moment.js"></script>
        <!-- css -->
        <link rel="stylesheet" type="text/css" href="/theme/css/main.css" />
        <!-- 左边的menu，如果页面高度不够，就跟着滚动，否则文章分类显示不全 -->
        <link rel="stylesheet" type="text/css" href="/theme/css/mycss/menu.css" />
		<script>
			
                /*! grunt-grunticon Stylesheet Loader - v2.1.2 | https://github.com/filamentgroup/grunticon | (c) 2015 Scott Jehl, Filament Group, Inc. | MIT license. */
    
    (function(e){function t(t,n,r,o){"use strict";function a(){for(var e,n=0;u.length>n;n++)u[n].href&&u[n].href.indexOf(t)>-1&&(e=!0);e?i.media=r||"all":setTimeout(a)}var i=e.document.createElement("link"),l=n||e.document.getElementsByTagName("script")[0],u=e.document.styleSheets;return i.rel="stylesheet",i.href=t,i.media="only x",i.onload=o||null,l.parentNode.insertBefore(i,l),a(),i}var n=function(r,o){"use strict";if(r&&3===r.length){var a=e.navigator,i=e.Image,l=!(!document.createElementNS||!document.createElementNS("http://www.w3.org/2000/svg","svg").createSVGRect||!document.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#Image","1.1")||e.opera&&-1===a.userAgent.indexOf("Chrome")||-1!==a.userAgent.indexOf("Series40")),u=new i;u.onerror=function(){n.method="png",n.href=r[2],t(r[2])},u.onload=function(){var e=1===u.width&&1===u.height,a=r[e&&l?0:e?1:2];n.method=e&&l?"svg":e?"datapng":"png",n.href=a,t(a,null,null,o)},u.src="",document.documentElement.className+=" grunticon"}};n.loadCSS=t,e.grunticon=n})(this);(function(e,t){"use strict";var n=t.document,r="grunticon:",o=function(e){if(n.attachEvent?"complete"===n.readyState:"loading"!==n.readyState)e();else{var t=!1;n.addEventListener("readystatechange",function(){t||(t=!0,e())},!1)}},a=function(e){return t.document.querySelector('link[href$="'+e+'"]')},c=function(e){var t,n,o,a,c,i,u={};if(t=e.sheet,!t)return u;n=t.cssRules?t.cssRules:t.rules;for(var l=0;n.length>l;l++)o=n[l].cssText,a=r+n[l].selectorText,c=o.split(");")[0].match(/US\-ASCII\,([^"']+)/),c&&c[1]&&(i=decodeURIComponent(c[1]),u[a]=i);return u},i=function(e){var t,o,a;o="data-grunticon-embed";for(var c in e)if(a=c.slice(r.length),t=n.querySelectorAll(a+"["+o+"]"),t.length)for(var i=0;t.length>i;i++)t[i].innerHTML=e[c],t[i].style.backgroundImage="none",t[i].removeAttribute(o);return t},u=function(t){"svg"===e.method&&o(function(){i(c(a(e.href))),"function"==typeof t&&t()})};e.embedIcons=i,e.getCSS=a,e.getIcons=c,e.ready=o,e.svgLoadedCallback=u,e.embedSVG=u})(grunticon,this);
                
                grunticon(["/theme/css/icons.data.svg.css", "/theme/css/icons.data.png.css", "/theme/css/icons.fallback.css"]);
            </script>
        <noscript><link href="/theme/css/icons.fallback.css" rel="stylesheet"></noscript>
        <!-- menu toggle javascript -->
        <script type="text/javascript">
            document.addEventListener("DOMContentLoaded", initMenu);
            
            function initMenu(){
                var menu = document.getElementById("menu");
                var menulink = document.getElementById("menu-link");
                menulink.addEventListener("click", function toggleMenu(){
                        window.event.preventDefault();
                        menulink.classList.toggle('active');
                        menu.classList.toggle('active');              
                    });
            };
        </script>
        <!-- 不蒜子 -->
        <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

    <meta name="description" content="<p>加密文件：加密配置文件并使用，使用文件加密；加密变量：通过文件加密，通过密码加密，加上用户标识；使用debug模块进行调试</p>" />

    <meta name="tags" content="ansible" />
  <!-- 替换部分base的样式，看文章时，要再宽一点，右边有很多空间可以撑开 -->
  <link rel="stylesheet" type="text/css" href="/theme/css/mycss/article.css" />

</head>
<body>
    <div role="banner" id="masthead">
        <header>
            <a href="/"><img src="/images/mowang.png" alt="McManus Logo"></a>
                <h1>来玩魔王的咚@骑士救兵</h1>
            <a href="#menu" id="menu-link">more stuff</a>
            <nav id="menu">
                <ul>
                        <li><a href="/tags">tags</a></li>
                            <li><a href="/category/cloud.html">Cloud</a></li>
                            <li><a href="/category/docker.html">Docker</a></li>
                            <li><a href="/category/go.html">Go</a></li>
                            <li><a href="/category/linux.html">Linux</a></li>
                            <li><a href="/category/python.html">Python</a></li>
                            <li><a href="/category/xue-xi-bi-ji.html">学习笔记</a></li>
                            <li class="active"><a href="/category/yun-wei-zi-dong-hua.html">运维自动化</a></li>
                </ul>
            </nav>
        </header>
    </div>
        <div class="page" role="main">
  <div class="article" role="article">
    <article>
        <footer>
            <a name="top"></a>
            <p>
              <time datetime=" 2019-08-25 09:43:51+08:00">
                <script>document.write(moment('2019-08-25 09:43:51+08:00').format('LL'));</script>
              </time>
              ~
              <time datetime=" 2019-08-25 09:43:51+08:00">
                <script>document.write(moment('2021-06-28 18:00:00+08:00').format('LL'));</script>
              </time>
            </p>
        </footer>
        <header>
          <h2>
            Ansible 加密模块
          </h2>
        </header>
      <div class="content">
         <div class="toc">
<ul>
<li><a href="#jia-mi-wen-jian">加密文件</a><ul>
<li><a href="#jia-mi-pei-zhi-wen-jian">加密配置文件</a></li>
<li><a href="#shi-yong-wen-jian-jia-mi">使用文件加密</a></li>
</ul>
</li>
<li><a href="#jia-mi-bian-liang">加密变量</a><ul>
<li><a href="#tong-guo-wen-jian-jia-mi">通过文件加密</a></li>
<li><a href="#shou-dong-shu-ru-mi-ma">手动输入密码</a></li>
<li><a href="#jia-shang-yong-hu-biao-zhi">加上用户标识</a></li>
</ul>
</li>
<li><a href="#qi-ta-ji-qiao">其他技巧</a><ul>
<li><a href="#shi-yong-debug-mo-kuai-jin-xing-tiao-shi">使用debug模块进行调试</a></li>
<li><a href="#she-zhi-pei-zhi-wen-jian">设置配置文件</a></li>
<li><a href="#zi-dong-sheng-cheng-sui-ji-mi-ma">自动生成随机密码</a></li>
</ul>
</li>
</ul>
</div>
<p>ansible-vault 主要用于配置文件加密，可以加密或解密，具体使用方式如下：</p>
<div class="highlight"><pre><span></span><code>Usage: ansible-vault <span class="o">[</span>create<span class="p">|</span>decrypt<span class="p">|</span>edit<span class="p">|</span>encrypt<span class="p">|</span>encrypt_string<span class="p">|</span>rekey<span class="p">|</span>view<span class="o">]</span> <span class="o">[</span>options<span class="o">]</span> <span class="o">[</span>vaultfile.yml<span class="o">]</span>
</code></pre></div>

<p>可以看到有很多子命令：</p>
<ul>
<li>create: 创建一个新文件，并直接对其进行加密</li>
<li>decrypt: 解密文件</li>
<li>edit: 用于编辑 ansible-vault 加密过的文件</li>
<li>encrypy: 加密文件</li>
<li>encrypt_strin: 加密字符串，字符串从命令行获取</li>
<li>view: 查看经过加密的文件</li>
</ul>
<h3 id="jia-mi-wen-jian"><a class="toclink" href="#jia-mi-wen-jian">加密文件</a></h3>
<p>先自己创建一个文件，写入一些内容：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span><span class="nb">echo</span> <span class="s2">&quot;123456&quot;</span> &gt; pass.txt
<span class="gp">[root@Ansible ~]# </span>cat pass.txt 
<span class="go">123456</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>然后用 ansible-vault encrypt 加密文件：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault encrypt pass.txt
<span class="go">New Vault password: </span>
<span class="go">Confirm New Vault password: </span>
<span class="go">Encryption successful</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>这里会要求输入密码。</p>
<p>现在再去打开文件看看：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>cat pass.txt 
<span class="gp">$</span>ANSIBLE_VAULT<span class="p">;</span><span class="m">1</span>.1<span class="p">;</span>AES256
<span class="go">62633762393035316438663662343964656465376634393131313466313536336361333163313238</span>
<span class="go">6162356161653365623961353533356264386134653830640a353531623635653337636564383763</span>
<span class="go">38316636383334323533363666383963666161633332663461316338333332623434376162326265</span>
<span class="go">6565623130373539330a313737646431626131336637663033656664383932393934633337383666</span>
<span class="go">6334</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>查看文件内容，可以用 ansible-vault view 命令：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault view pass.txt
<span class="go">Vault password: </span>
<span class="go">123456</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>把文件还原可以用 ansible-vault decrypt 命令：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault decrypt pass.txt
<span class="go">Vault password: </span>
<span class="go">Decryption successful</span>
<span class="gp">[root@Ansible ~]# </span>cat pass.txt 
<span class="go">123456</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<h4 id="jia-mi-pei-zhi-wen-jian"><a class="toclink" href="#jia-mi-pei-zhi-wen-jian">加密配置文件</a></h4>
<p>上面的演示内容只是一个小工具的单独使用，这里看看结合ansible命令的使用。<br>
在/etc/ansible/hosts文件中新加一台主机用于测试：</p>
<div class="highlight"><pre><span></span><code>host1 ansible_host=127.0.0.1 ansible_connection=local
</code></pre></div>

<p>这里加的就是本机。</p>
<p>然后单独创建这台主机的变量文件 /etc/ansible/host_vars/host1 ，随便写入一些变量：</p>
<div class="highlight"><pre><span></span><code><span class="n">key1</span><span class="o">:</span><span class="w"> </span><span class="n">vaule1</span><span class="w"></span>
<span class="n">key2</span><span class="o">:</span><span class="w"> </span><span class="n">VALUE2</span><span class="w"></span>
</code></pre></div>

<p>先来验证一下：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key2={{key2}}&quot;</span> 
<span class="go">host1 | CHANGED | rc=0 &gt;&gt;</span>
<span class="go">key1=vaule1, key2=VALUE2</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>现在把配置文件加密：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault encrypt /etc/ansible/host_vars/host1 
<span class="go">New Vault password: </span>
<span class="go">Confirm New Vault password: </span>
<span class="go">Encryption successful</span>
<span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key2={{key2}}&quot;</span> 
<span class="go">ERROR! Attempting to decrypt but no vault secrets found</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>加密后再运行就不管用了，这里需要加一个参数 --ask-vault-pass 来提供vault加密的密码：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key2={{key2}}&quot;</span>  --ask-vault-pass
<span class="go">Vault password: </span>
<span class="go">host1 | CHANGED | rc=0 &gt;&gt;</span>
<span class="go">key1=vaule1, key2=VALUE2</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<h4 id="shi-yong-wen-jian-jia-mi"><a class="toclink" href="#shi-yong-wen-jian-jia-mi">使用文件加密</a></h4>
<p>之前都是直接使用密码进行加密。对我们来说，其实只是把一个密码用另一个密码加密了。在使用的时候，我们不使用原来的密码，而是使用vault的密码。<br>
为了方便不用每次都输入密码，可以把密码写在文件中。不过直接把密码明文写在文件中总是不安全的。利用 ansible-vault 就是让我们可以把密码直接写在配置中（也可以是一个单独的配置文件），然后把有敏感信息的文件加密。这样做的好处是，整个项目所有的配置信息都是全的，包括项目中使用的密码，并且是加密的。<br>
如果每次使用时仍然不想输入密码，也可以把vault的密码写到文件中（明文的），这样每次使用时就不是手动输入，而是让ansible自动从文件中获取这个密码。  </p>
<p>还是重复使用之前的配置文件，先把文件进行解密：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault decrypt /etc/ansible/host_vars/host1 
<span class="go">Vault password: </span>
<span class="go">Decryption successful</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>然后再生成文件后用文件进行加密：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span><span class="nb">echo</span> <span class="s2">&quot;123456&quot;</span> &gt; vault-pass-file
<span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key2={{key2}}&quot;</span>
<span class="go">ERROR! Attempting to decrypt but no vault secrets found</span>
<span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key2={{key2}}&quot;</span> --vault-password-file vault-pass-file
<span class="go">host1 | CHANGED | rc=0 &gt;&gt;</span>
<span class="go">key1=vaule1, key2=VALUE2</span>
<span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key2={{key2}}&quot;</span> --ask-vault-pass
<span class="go">Vault password: </span>
<span class="go">host1 | CHANGED | rc=0 &gt;&gt;</span>
<span class="go">key1=vaule1, key2=VALUE2</span>
<span class="gp">[root@Ansible ~]#</span>
</code></pre></div>

<p>这里最后还试了一下使用密码 --ask-vault-pass 效果其实和使用 --vault-password-file 是一样的。一个是手动输入密码，一个是从文件中读取密码字符串。  </p>
<h3 id="jia-mi-bian-liang"><a class="toclink" href="#jia-mi-bian-liang">加密变量</a></h3>
<p>上面的加密方式是加密整个文件。加密后，文件中敏感的内容不敏感的内容就都看不到了，这样也很不方便。一个解决办法是把敏感的和不敏感的内容分开，写在不同的文件中，只加密敏感文件。就像之前的示例中那样。<br>
还有一个更灵活的方式，使用 ansible-vault encrypt_string 把值进行加密。  </p>
<h4 id="tong-guo-wen-jian-jia-mi"><a class="toclink" href="#tong-guo-wen-jian-jia-mi">通过文件加密</a></h4>
<p>准备好用作vault认证的文件：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault encrypt_string --vault-id vault-pass-file <span class="s1">&#39;ssh_pass&#39;</span> --name <span class="s1">&#39;key3&#39;</span>
<span class="go">key3: !vault |</span>
<span class="gp">          $</span>ANSIBLE_VAULT<span class="p">;</span><span class="m">1</span>.1<span class="p">;</span>AES256
<span class="go">          66613666353739356536663965336234383363373563353231353939303839313430616161336365</span>
<span class="go">          6662336162386231316132633365366232363936613561650a313637643339323861626364633864</span>
<span class="go">          32653666626333623961643866656235653764646333613533343231303734313862376232393734</span>
<span class="go">          6563343539393264650a653438326463646364646338656339356236383537663135633935313239</span>
<span class="go">          3664</span>
<span class="go">Encryption successful</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>参数--name，可以不写。写上后最后生成的内容就是带key的，否则只是生成值的部分，key我们也可以手动加上。  </p>
<h4 id="shou-dong-shu-ru-mi-ma"><a class="toclink" href="#shou-dong-shu-ru-mi-ma">手动输入密码</a></h4>
<p>如果不使用文件，而是要手动输入，可以将指定的文件名替换为prompt，这样就会让我们输入2次密码确认了：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault encrypt_string --vault-id prompt <span class="s1">&#39;ssh_pass&#39;</span> --name <span class="s1">&#39;key3&#39;</span>
<span class="go">New vault password (default): </span>
<span class="go">Confirm new vault password (default): </span>
<span class="go">key3: !vault |</span>
<span class="gp">          $</span>ANSIBLE_VAULT<span class="p">;</span><span class="m">1</span>.1<span class="p">;</span>AES256
<span class="go">          30666333366265346464383165373062613165666130373066613930316364363432376336613938</span>
<span class="go">          3131663337633863373539666134643661623734613330350a616661613934633335303365366266</span>
<span class="go">          36363433613334386664663839346435656534373732333632303532303939383466303662396438</span>
<span class="go">          3433633535333130350a323934373162356139363762383739386139333937666237613564313939</span>
<span class="go">          3137</span>
<span class="go">Encryption successful</span>
<span class="gp">[root@Ansible ~]#</span>
</code></pre></div>

<h4 id="jia-shang-yong-hu-biao-zhi"><a class="toclink" href="#jia-shang-yong-hu-biao-zhi">加上用户标识</a></h4>
<p>官方的文档如下：
https://docs.ansible.com/ansible/latest/network/getting_started/first_inventory.html#protecting-sensitive-variables-with-ansible-vault</p>
<p>在官方文档的示例中 --vault-id 的参数值，都是加上了用户名称表示的，加在文件名或者prompt前，用@隔开：</p>
<div class="highlight"><pre><span></span><code>$ ansible-vault encrypt_string --vault-id steed@vault-pass-file <span class="s1">&#39;ssh_pass&#39;</span> --name <span class="s1">&#39;key3&#39;</span>
$ ansible-vault encrypt_string --vault-id steed@prompt <span class="s1">&#39;ssh_pass&#39;</span> --name <span class="s1">&#39;key3&#39;</span>
</code></pre></div>

<p>貌似也没什么用，但是生成的内容中会有这个用户标识。还是尽量参考官方的建议来比较好。  </p>
<p>生成一个新的变量，将加密的值写到配置文件中：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible-vault encrypt_string --vault-id steed@vault-pass-file <span class="s1">&#39;ssh_pass&#39;</span> --name <span class="s1">&#39;key3&#39;</span> &gt;&gt; /etc/ansible/host_vars/host1
<span class="gp">[root@Ansible ~]# </span>cat /etc/ansible/host_vars/host1
<span class="go">---</span>
<span class="go">key1: vaule1</span>
<span class="go">key2: VALUE2</span>
<span class="go">key3: !vault |</span>
<span class="gp">          $</span>ANSIBLE_VAULT<span class="p">;</span><span class="m">1</span>.2<span class="p">;</span>AES256<span class="p">;</span>steed
<span class="go">          30343264386638623133383632353762356632643531643735653131663662623164303533373163</span>
<span class="go">          3032646663363765386135386362376433326131333262310a366636396233653038646133336334</span>
<span class="go">          62376532343064396639623835646563643663613530383739666239663565386364303931316637</span>
<span class="go">          6137343936636266340a306233633039323537346332336132313766383039653565646230393662</span>
<span class="go">          6332</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>这里可以看到密文上一行的内容的最后，有之前加上的用户标识信息。</p>
<p>使用的时候，使用密码还是指定文件都可以：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key3={{key3}}&quot;</span> --vault-id vault-pass-file 
<span class="go">host1 | CHANGED | rc=0 &gt;&gt;</span>
<span class="go">key1=vaule1, key3=ssh_pass</span>
<span class="gp">[root@Ansible ~]# </span>ansible host1 -a <span class="s2">&quot;echo key1={{key1}}, key3={{key3}}&quot;</span> --vault-password-file vault-pass-file 
<span class="go">host1 | CHANGED | rc=0 &gt;&gt;</span>
<span class="go">key1=vaule1, key3=ssh_pass</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<p>官方文档中是用 --vault-id 来指定解密用的文件的，不过试了下 --vault-password-file 也是可以的。  </p>
<h3 id="qi-ta-ji-qiao"><a class="toclink" href="#qi-ta-ji-qiao">其他技巧</a></h3>
<p>还有一些其他的相关内容。  </p>
<h4 id="shi-yong-debug-mo-kuai-jin-xing-tiao-shi"><a class="toclink" href="#shi-yong-debug-mo-kuai-jin-xing-tiao-shi">使用debug模块进行调试</a></h4>
<p>官方的建议是使用debug模块就行调试：</p>
<blockquote>
<p>To see the original value, you can use the debug module.</p>
</blockquote>
<p>之前的示例就不改了，要用debug模块，简单的可以这么使用：</p>
<div class="highlight"><pre><span></span><code><span class="gp">[root@Ansible ~]# </span>ansible host1 -m debug -a <span class="s1">&#39;var=&quot;key1,key2,key3&quot;&#39;</span> --vault-password-file vault-pass-file
<span class="go">host1 | SUCCESS =&gt; {</span>
<span class="go">    &quot;key1,key2,key3&quot;: &quot;(&#39;vaule1&#39;, &#39;VALUE2&#39;, &#39;ssh_pass&#39;)&quot;</span>
<span class="go">}</span>
<span class="gp">[root@Ansible ~]# </span>
</code></pre></div>

<h4 id="she-zhi-pei-zhi-wen-jian"><a class="toclink" href="#she-zhi-pei-zhi-wen-jian">设置配置文件</a></h4>
<p>每次都多打一个参数也是很麻烦，在配置文件中有对应的配置项，比如配置成下面这样：</p>
<div class="highlight"><pre><span></span><code><span class="c1"># If set, configures the path to the Vault password file as an alternative to</span>
<span class="c1"># specifying --vault-password-file on the command line.</span>
<span class="nv">vault_password_file</span> <span class="o">=</span> ~/vault_password_file
</code></pre></div>

<p><strong>注意：</strong>配置生效后，就不能再自己加参数指定了，否则会报错。并且这个情况不只是在解密的时候，加密的时候也一样。  </p>
<h4 id="zi-dong-sheng-cheng-sui-ji-mi-ma"><a class="toclink" href="#zi-dong-sheng-cheng-sui-ji-mi-ma">自动生成随机密码</a></h4>
<p>网上方法有很多，我觉得用 openssl 比较方便：</p>
<div class="highlight"><pre><span></span><code>$ openssl rand -base64 <span class="m">10</span>
<span class="nv">VStCUWZZ1HfVtw</span><span class="o">==</span>
$
</code></pre></div>

<p>可以直接生成一串长一点的到文件中：</p>
<div class="highlight"><pre><span></span><code>$ openssl rand -base64 <span class="m">128</span> -out vault_password_file
$ cat vault_password_file 
MGt5jsPiFSLR3AUMxiOqcFmg3emStka72Zm6oqv8oB/uxY4QzYkWVYNLYVOF2Oiq
3smsUcJJ3yhmmjOSP0Lveb+qwtJhk2wZe+T0Er4cqa3ymrRvuGrLlmips566uFfO
<span class="nv">doAYVPdrqYrKKb5IQ3VCQeX6tBBmJh972oiyVsg8XQg</span><span class="o">=</span>
$
</code></pre></div>
      </div>
      <div class="back-to-top">
        <a href="/">HOME</a>
        <a href="#top">TOP</a>
      </div>
    </article>
  </div>
<!-- end article -->
<!-- 页面往下滚动一段之后才会显示TOC -->
<script>
  window.onscroll = function() {
    var tocbox = document.getElementsByClassName('toc')[0];
    var osTop = document.documentElement.scrollTop || document.body.scrollTop;
    var osWidth = document.documentElement.scrollWidth || document.body.scrollWidth;
    // console.log(osTop)
    if (osTop>300 && osWidth>865) {
      tocbox.style.display = "block"
    }
    if (osTop<300 || osWidth<865) {
      tocbox.style.display = "none"
    }
  }
</script>
                <footer>
                    <div class="icons">
                    </div>
                    <span id="busuanzi_container_page_pv" style="padding: 10px">本文阅读量<span id="busuanzi_value_page_pv"></span>次</span>
                    <span id="busuanzi_container_site_pv" style="padding: 10px">本站总访问量<span id="busuanzi_value_site_pv"></span>次</span>
                    <span id="busuanzi_container_site_uv" style="padding: 10px">本站总访客数<span id="busuanzi_value_site_uv"></span>人</span>
                    <p>© <script>document.write(moment().format('YYYY'));</script> 749B</p>
                </footer>
        </div>
</body>
</html>